REMARKS/ARGUMENTS

1.) Status of the Claims

Claims 1, 3-16, 18-25, and 27-30 are pending in the application. Favorable
reconsideration of the application is respectfully requested in view of the following
remarks.

2.) Claim Rejections - 35 U.S.C. § 103(a)

Claims 1, 3-16, 18-25, and 27-30 stand rejected under 35 U.S.C. § 103(a) as 
being unpatentable over Thomas, et al. (U.S. Patent Publication No. 2004/0039827) in
view of Karjala, et al. (U.S. Patent Publication No. 2004/0268148). Applicant
respectfully traverses these rejections. 

In the present case, Applicant respectfully submits that the Examiner has failed
to establish a prima facie case of obviousness, since the cited references Thomas and 
Karjala, either alone or in combination, fail to teach or suggest all of the claimed 
elements. Initially, Applicant notes that, in the Appeal Brief filed on October 28, 2010, 
Applicant pointed out various deficiencies of both Thomas and the secondary reference, 
Lev Ran. In response, the Examiner has merely replaced Lev Ran with Karjala, but has
failed to address or rebut any of the specific arguments submitted regarding Thomas.
Nevertheless, Applicant maintains that, due to the deficiencies of both references, the 
pending claims are in condition for allowance. 

Claim 1 

For instance, independent claim 1 recites the following:

1. An Application Gateway Module suitable for use in a
telecommunication system wherein a service network authenticates a user and
authorizes the user for accessing a service offered by a service provider, the
Application Gateway Module arranged for intercepting application messages
between the user and the service and for identifying said user and said service, 
and including: 

means for obtaining an authorization decision on whether the user is 
allowed to access the service; 






Appl. No. 1Q/S9$,496

Amdt. Dated June 13, 2011

Reply to Office action of March 11, 2011

Attorney Docket No. P18123-US1 

the Application Gateway Module comprising:

means for assigning a service session identifier intended to identify those 
application messages exchanged between the user and the service and that 
belong to a same service delivery authorized for said user;

means for configuring a first finite-state machine with a number of statuses 
intended to identify specific events in service delivery, the first finite state machine 
configured to control service progression 

means for initiating a specific instance of the first finite-state machine, said 
specific instance being identified by the assigned service session identifier; and 

means for activating service policies applicable to said specific events and 
resulting in a state transition in the specific instance identified by the assigned 
service session identifier. 



Many of these claimed elements are not found in either Thomas or Karjala.
Initially, the Office Action relies on the new secondary reference Karjala as disclosing
"activating service policies applicable to said specific events." However, as noted below
in more detail, the claimed specific events are related to statuses of the claimed
finite-state machine, and the claimed service policies applied to the specific events result in
state transitions in the specific instance identified by the assigned service session
identifier. The cited portion of Karjala, however, merely discusses types of automated
and manual certificate enrollment in a VPN authentication process. Karjala, ¶ 0047.
Applicant respectfully contends that this fails to teach or suggest the specific claimed
limitation.

Also, as stated previously, Applicant respectfully contends that Thomas fails to 
disclose or suggest multiple claim limitations. Paragraphs [0064]-[0067] disclose an
intermediary server that the Examiner interprets as reading on the claimed Application 
Gateway Module. Thomas also discloses in paragraph [0259] an LSP intercepting calls, 
this LSP being part of a Microsoft OS such as Windows for securing communications to 
or from sockets. In addition, Thomas discloses in [0260] the LSP being part of the 
intermediary server. The Examiner also interprets this LSP as being part of the claimed 
Application Gateway Module. However, Thomas does not disclose where the LSP
identifies the user and the service from the intercepted messages. Instead, the LSP is 
intended to communicate different applications with Windows sockets and, as such, 
there is no disclosure that the LSP may identify a user accessing a service in a service 
network, simply because this is not a task for the LSP service. Thus, Applicant 
respectfully contends that the interpretation made by the Examiner that the intermediary
server with the LSP reads on the claimed Application Gateway Module, which is 
arranged for intercepting application messages between the user and the service and 
for identifying said user and said service, is incorrect. 

In addition, Thomas discloses in [0073]-[0075] an authentication procedure 
carried out when the user first tries to login to the system, and when this authentication
is successful, the user is given a session identifier to be presented to access the various
resources in the private network through the intermediary server. However, even if
Thomas discloses a user authentication, these paragraphs fail to teach or suggest the 
claimed means for obtaining an authorization decision on whether the user is allowed to 
access the service, since authentication and authorization are well known to be different 
techniques. 

Furthermore, Thomas discloses in paragraph [0075] providing a session identifier
to the requestor as a result of a successful authentication, this session identifier used in
subsequent requests to the intermediary server as long as the session is active. 
Subsequent requests to the intermediary server may correspond to a same or to 
different services and, generally speaking, are related to the session established 
between the authenticated user and the intermediary server. As commented above, 
Thomas discloses in [0073]-[0075] "...the user is given a session identifier to be
presented to access the various resources in the private network..." In contrast, claim 1
recites "assigning a service session identifier intended to identify those application
messages exchanged between the user and the service and that belong to a same
service delivery authorized for said user." Therefore, in claim 1 there is one service
session identifier for each service delivery, so that, where more than one service is
delivered within a session, corresponding more than one service session identifiers are
assigned. Consequently, the "session identifier used in subsequent requests to the
intermediary server as long as the session is active" disclosed in paragraph [0075] of
Thomas, even if similarly worded, fails to disclose or suggest the "service session
identifier intended to identify those application messages exchanged between the user
and the service and that belong to a same service delivery authorized for said user"
recited in the pending claim 1.

Thomas also discloses in paragraph [0286] a state machine. In Thomas's
disclosure, "the state machine is based on characteristics of the Windsock API and/or
communication protocol API can handle the port mapped data." This passage does not
teach "configuring a first finite-state machine with a number of statuses intended to
identify specific events in service delivery, the first finite-state machine configured to
control service progression." Specifically, Thomas fails to disclose statuses intended to
identify specific events in service delivery, because APIs are mere descriptions of how 
communications between layers are carried out, rather than service progression. 
Moreover, Thomas's paragraphs [0286]-[0287] deal with the selection of loopback
addresses and ports involved in the LSP interception (already commented above) and
this has nothing to do with the service progression of a service authorized for a user. 
Consequently, the specific state machine recited in claim 1 is different from the specific 
state machine disclosed in Thomas, which is at least a non-enabling disclosure. 

Still with reference to Thomas's paragraph [0286], and in the light of paragraph
[0069], the Office Action contends this disclosure teaches the claimed feature "initiating
a specific instance of the first finite-state machine, said specific instance being identified
by the assigned service session identifier." As already commented above, Thomas's
paragraph [0286] merely discloses "the state machine is based on characteristics of the 
Windsock API and/or communication protocol API can handle the port mapped data," 
whereas Thomas's paragraph [0069] discloses the intermediary server including a 
cookie manager. This cookie manager manages cookies previously received from a 
remote server and stored until being delivered to the remote server at appropriate times.
These cookies are said to be set by a remote server and used for session, state or 
identification purposes. That is, Thomas discloses in [0069] cookies set by the remote
server, submitted from the remote server to the intermediary server (which the Office
Action has interpreted as the claimed Application Gateway module), stored at the
intermediary server, and returned from the intermediary server to the remote server at 
appropriate times. This teaching does not suggest an "Application Gateway Module 
having means for initiating a specific instance of the first finite-state machine, said
specific instance being identified by the assigned service session identifier" as recited in
claim 1, and by no means can be similarly interpreted even if isolated words like 'state'
and 'session' appear in Thomas's paragraph [0069].

In this regard, Thomas's paragraph [0069] does not disclose the Application
Gateway Module (intermediary server in the interpretation of the Office Action) having 
means for initiating a specific instance of the first finite-state machine cited in Thomas's 
paragraph [0286], since there is no teaching or suggestion to combine cookies received 
from the remote server with "the state machine is based on characteristics of the 
Windsock API and/or communication protocol API can handle the port mapped data."
Consequently, there is no disclosure or suggestion in view of Thomas's paragraphs 
[0069] or [0286] of identifying such (undisclosed) specific instance of the state machine
by the assigned service session identifier. Therefore, Thomas's paragraph [0069]
cannot be naturally combined with paragraph [0286] and, even if combined, the
paragraphs [0069] and [0286] fail to disclose the claimed "Application Gateway Module 
having means for initiating a specific instance of the first finite-state machine, said 
specific instance being identified by the assigned service session identifier." Moreover,
combining the cookies received from a remote server, as disclosed in Thomas's 
paragraph [0069], with the state machine based on characteristics of the Winsock API,
as disclosed in Thomas's paragraph [0286], does not make any technical sense for one 
skilled in the art that uses cookies as identifiers and follows API's for communication 
between different applications or application layers. 

In view of at least the foregoing, Applicant respectfully submits that the 
independent claim 1 and the corresponding dependent claims 3-14 are patentable over 
Thomas, Karjala, or any combination thereof.

Claim 15

Independent claim 15 recites the following: 

15. An Authorization Module suitable for use in a telecommunication
system wherein a service network authenticates a user and authorizes the user
for accessing a service offered by a service provider, the Authorization Module
arranged for deciding whether a user is allowed to access a service and having:

means for receiving a service authorization request from an Application 
Gateway Module; and 

means for returning to the Application Gateway Module a response on
whether the user is granted access to the requested service; 

the Authorization Module comprising:

means for generating a service session identifier intended to correlate 
those application messages exchanged between the user and the service and 
that belong to a same service delivery authorized for said user; 

means for configuring a second finite-state machine with a number of 
statuses intended to identify specific events in service progression, the second 
finite-state machine usable by the Authorization Module to act over the Application 
Gateway Module to control the service progression; 

means for initiating a specific instance of the second finite-state machine, 
said specific instance being identified by said service session identifier; and 

means for determining service policies applicable to said specific events 
and resulting in a state transition in the specific instance identified by the assigned 
service session identifier. 



Many of these claimed elements are not disclosed or suggested by either 
Thomas or Karjala. For instance, Thomas discloses in paragraphs [0058]-[0059] an 
intermediary server, which the Office Action interprets as reading on the claimed 
Authorization Module. Thomas's paragraph [0059] discloses client machines accessing
an intermediary server with requests for contents residing at private servers. The
intermediary server, once the client machine is authenticated and authorized to get such 
contents, accesses the private server to obtain the requested contents and returns the 
contents to the requester client machine. Since Thomas's intermediary server is
interpreted as being both the Authorization Module and the Application Gateway Module 
in the present patent application, the various communications between these two
modules are not considered to be relevant distinguishing features and will not be 
discussed hereinafter. 

However, Thomas's paragraph [0072] discloses the intermediary server storing 
session identifiers, or cookies, for the clients or requesters. There is no specific 
teaching in this paragraph on whether a user may have more than one session identifier 
at a time. More specifically, Thomas's storing session identifiers for the clients does not 
teach the claimed "means for generating a service session identifier intended to
correlate those application messages exchanged between the user and the service and
that belong to a same service delivery authorized for said user." As already commented
above with respect to claim 1, there is one service session identifier for each service
delivery so that, where more than one service is delivered within a session, 
corresponding more than one service session identifiers are assigned. Thomas, on the 
other hand, does not teach the service session identifier for each service delivery. 

Further, the Office Action interprets the teaching in Thomas's paragraph [0286] 
as teaching the claimed "means for configuring a second finite-state machine with a
number of statuses intended to identify specific events in service progression, the 
second finite-state machine usable by the Authorization Module to act over the 
Application Gateway Module to control the service progression." This same teaching
has been also used to reject the first finite-state machine in the Application Gateway
Module in the independent claim 1. Consequently, the same rationale used above with
respect to Thomas's paragraph [0286] to defend the corresponding distinguishing 
feature of claim 1 can be used here to defend the second finite-state machine usable by 
the Authorization Module in claim 15.

Likewise, the Office Action interprets Thomas's paragraph [0069] in combination 
with paragraph [0286] as reading on the claimed "means for initiating a specific instance
of the second finite-state machine, said specific instance being identified by said service 
session identifier." The handling of cookies as disclosed in Thomas's paragraph [0069] 
has been discussed above with respect to claim 1 and is also applicable here. 
Consequently, the same rationale used above with respect to Thomas's paragraphs 
[0069] and [0286] to defend the corresponding distinguishing feature of claim 1 can be
used here to defend the specific instance of the second finite-state machine, and 
identified by the service session identifier included in the Authorization Module under 
the independent claim 15. 

Still further, the Office Action relies on Karjala to read on the claimed "means for 
determining service policies applicable to said specific events and resulting in the state
transition in the specific instance identified by the assigned service session identifier."
Consequently, the same rationale used above with regard to the corresponding
distinguishing feature of claim 1 can be used here as well. In view of at least the
foregoing, Applicant respectfully submits that the independent claim 15 and the
corresponding dependent claims 16, 18-24 are patentable over Thomas, Karjala, or any
combination thereof. 

Claim 25

Independent claim 25 recites the same or similar distinguishing limitations that
have been discussed above with respect to the independent claims 1 and 15. As such,
the aforementioned remarks regarding the patentability of the independent claims 1 and
15 apply as well to independent claim 25. Accordingly, Applicant respectfully requests
reconsideration and allowance of independent claim 25 and the corresponding
dependent claims 27-30. 

Claim 31

Independent claim 31 recites that the claimed means for activating service
policies further includes: (1) means for statically arming at least one of the service
policies before arrival of a first message to invoke the service; and (2) means for 
dynamically arming at least one of the service policies during the progression of the 
service. These new limitations along with limitations that are similar to the ones
discussed above with respect to claim 1 clearly distinguish the present invention over 
the cited references. Thus, Applicant respectfully requests reconsideration and 
allowance of claim 31.

CONCLUSION

In view of the foregoing remarks, the Applicant believes all of the claims currently
pending in the Application to be in a condition for allowance. The Applicant, therefore,
respectfully requests that the Examiner withdraw all rejections and issue a Notice of
Allowance for all pending claims. 

The Applicant requests a telephonic interview if the Examiner has any questions 
or requires any additional information that would further or expedite the prosecution of 
the Application. 



Date: June 13, 2011 
Ericsson Inc. 

6300 Legacy Drive, M/S EVR 1-C-11
Plano, Texas 75024

(972) 583-9447 
brian.kearns@ericsson.com 
/Brian M. Kearns, Reg. No 62,287/

Brian M. Kearns 
Registration No. 62,287 